Differences

This shows you the differences between two versions of the page.

--- howto:nix_hosts [2023/06/03 22:07] – tcmal
+++ howto:nix_hosts [2023/07/29 11:14] (current) – removed tcmal
@@ Line 1: / Line 1: @@
-====== Working on NixOS hosts / Core services ======
-Our 'core services' (the stuff we're more scared of changing), are mostly managed with Nix - a functional programming language, build system, configuration tool, and hard disk stress tester wrapped into one.
-A lot of this is specific to Tardis core services nix, and is mostly geared towards people needing to make superficial changes, that probably haven't learnt Nix.
-===== 'I-just-want-to-add-a-vhost-why-is-this-so-hard' =====
-Our core services is setup to deploy whatever's on ''main'' to all of our machines. This means if you know exactly what you need to change, you can probably avoid doing any actual building or deploying locally.
-With that said, you should still use a syntax checker / linter. You can download [[https://github.com/kamadorueda/alejandra|alejandra]], our linter. Make your changes, then run ''alejandra .'' to check syntax, and format it. Double check your changes to make sure you haven't completely changed the meaning of the file - if the indentation is the same everywhere else you're probably fine.
-[[https://cheat.readthedocs.io/en/latest/nixos/nix_lang.html|Here]] is a small cheatsheet for the nix language - alternatively, just look at the parts around what you're editing. Here are some common files you might need to edit:
-  * [[https://git.tardisproject.uk/tardis/nix/-/blob/main/profiles/services/email/postfix.nix|Email domains]] (see [[hosts:virtual_machines:web:mail|here]] for full steps)
-  * [[https://git.tardisproject.uk/tardis/nix/-/blob/main/profiles/services/web/default.nix|Reverse Proxy Entries]]
-  * [[https://git.tardisproject.uk/tardis/nix/-/blob/main/profiles/services/metrics/prometheus.nix|Prometheus Targets]]
-**You won't be able to merge directly into main**, for hopefully obvious reasons. Make a branch and an MR, then ask someone else to approve it.
-===== Prolonged work =====
-If you're doing a lot of work and want to deploy and redeploy without pushing to CI, you'll need to do some local setup. Fortunately - you don't need a lot of disk space (all of our hosts take up about 11G). We can do all the actual building remotely, and only do some local config to make Nix forward things properly.
-==== Installing Nix ====
-You'll need something running *nix - either a VM or WSL. MacOS (Darwin) should work, but we haven't tested it.
-We recommend the [[https://github.com/DeterminateSystems/nix-installer|determinate systems nix installer]], which can be run as simple as:
-<code>
-curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
-</code>
-It gives you basically the same setup as [[https://nixos.org/download.html|the official Nix installer]] (which you can use if you have any problems), but it enables some extra commands, and especially flakes.
-If you do use the official Nix installer, add ''extra-experimental-features = flakes nix-command'' so you can use these extra features. Don't worry - they're barely experimental anymore and are pretty widely deployed.
-==== Extra Setup ====
-Remote building works like this:
-  - Upload your sources to our build server
-  - Have it build it
-  - When you deploy, everything gets downloaded from the build server
-For packages we're not building (most packages that we haven't modified), we want the build server to download it directly from Nix's cache, as opposed to the default where you download it then copy to the build server.
-To fix this, add ''builders-use-substitutes = true'' to ''/etc/nix/nix.conf''.
-Lastly, we need //root// to have passwordless ssh to ''nixbuild.internal.tardisproject.uk''. This involves proxying through our SSH bastion. You can find more details [[howto:ssh_proxy|here]], but you'll need to add something like this **to ''/etc/ssh/ssh_config''**:
-<code>
-Host tardis
-    User USERNAME
-    IdentityFile /path/to/your/ssh_key
-    HostName tardisproject.uk
-Host nixbuild.internal.tardisproject.uk
-    User root
-    HostName nixbuild.internal.tardisproject.uk
-    ProxyJump tardis
-    IdentityFile /path/to/tardis/admin/key
-</code>
-[[hosts:virtual_machines:nixbuild:nix_build_server|This page]] has more info on Nix build servers, and how they're used.
-Finally, for deployment, you'll need to be able to ssh (from your user) into ''%%<hostname>.tardisproject.uk%%'' without any password. This is covered [[howto:ssh_proxy|here]].
-If you've gotten this far, test everything with these commands:
-<code>
-# Test using the remote build server
-nix store ping --store ssh://nixbuild.internal.tardisproject.uk
-# Test passwordless SSH to root@ wherever youre deploying
-ssh web.tardisproject.uk
-</code>
-==== Doing the thing ====
-Now that you're all setup, you can use the 3 scripts in our repo for most tasks:
-  * ''scripts/eval_system <hostname>'' evaluates a given hostname and does some basic checks like that options exist, etc. Nothing gets built, and this doesnt even require remote building.
-  * ''colmena apply switch --on=<hostname>'' builds and deploys the given hostname - all remotely. Skip the ''on'' flag if you want to deploy everything.
-  * ''colmena apply build --on=<hostname>'' just builds the given hostname, but doesn't switch to it.
-And some routine Nix tasks:
-  - ''nix flake update'' - Update all inputs
-  - ''nix flake lock --update-input <name>'' - Update a specific input, ie ''sonic-screwdriver''